fix(iast): resolve PosixPath error in os.path patching [backport 3.3] (#13099)

github-actions[bot] · avara1986 · web-flow · commit 4772acfa46ee · 2025-04-08T14:26:49.000-04:00
Backport 303bae7 from #13085 to 3.3. This PR fixes an issue with PosixPath handling in IAST path operations. The changes: - Fix os.path patching errors in IAST taint tracking - Improve path operations in aspects.py - Add test coverage for os.path aspects ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) --------- Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>
diff --git a/ddtrace/appsec/_iast/_taint_tracking/aspects.py b/ddtrace/appsec/_iast/_taint_tracking/aspects.py
@@ -2,6 +2,7 @@
 from builtins import bytes as builtin_bytes
 import codecs
 import itertools
+import os
 from re import Match
 from re import Pattern
 from types import BuiltinFunctionType
@@ -61,14 +62,6 @@
 add_inplace_aspect = aspects.add_inplace_aspect
 index_aspect = aspects.index_aspect
 modulo_aspect = aspects.modulo_aspect
-ospathbasename_aspect = _aspect_ospathbasename
-ospathdirname_aspect = _aspect_ospathdirname
-ospathjoin_aspect = _aspect_ospathjoin
-ospathnormcase_aspect = _aspect_ospathnormcase
-ospathsplit_aspect = _aspect_ospathsplit
-ospathsplitdrive_aspect = _aspect_ospathsplitdrive
-ospathsplitext_aspect = _aspect_ospathsplitext
-ospathsplitroot_aspect = _aspect_ospathsplitroot
 rsplit_aspect = _aspect_rsplit
 slice_aspect = aspects.slice_aspect
 split_aspect = _aspect_split
@@ -1263,3 +1256,83 @@ def re_expand_aspect(orig_function: Optional[Callable], flag_added_args: int, *a
         iast_propagation_error_log(f"re_expand_aspect. {e}")
 
     return result
+
+
+def ospathjoin_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathjoin(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"ospathjoin_aspect. {e}")
+
+    return os.path.join(*args, **kwargs)
+
+
+def ospathbasename_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathbasename(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"_aspect_ospathbasename. {e}")
+
+    return os.path.basename(*args, **kwargs)
+
+
+def ospathdirname_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathdirname(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"_aspect_ospathdirname. {e}")
+
+    return os.path.dirname(*args, **kwargs)
+
+
+def ospathnormcase_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathnormcase(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"ospathnormcase_aspect. {e}")
+
+    return os.path.normcase(*args, **kwargs)
+
+
+def ospathsplit_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathsplit(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"ospathnormcase_aspect. {e}")
+
+    return os.path.split(*args, **kwargs)
+
+
+def ospathsplitdrive_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathsplitdrive(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"_aspect_ospathsplitdrive. {e}")
+
+    return os.path.splitdrive(*args, **kwargs)
+
+
+def ospathsplitext_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathsplitext(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"_aspect_ospathsplitext. {e}")
+
+    return os.path.splitext(*args, **kwargs)
+
+
+def ospathsplitroot_aspect(*args: Any, **kwargs: Any) -> Any:
+    if all(isinstance(arg, IAST.TEXT_TYPES) for arg in args):
+        try:
+            return _aspect_ospathsplitroot(*args, **kwargs)
+        except Exception as e:
+            iast_propagation_error_log(f"_aspect_ospathsplitroot. {e}")
+
+    return os.path.splitroot(*args, **kwargs)  # type: ignore[attr-defined]
diff --git a/releasenotes/notes/iast-posixpath-error-d186b1596893098f.yaml b/releasenotes/notes/iast-posixpath-error-d186b1596893098f.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Code Security: Fixed an issue with PosixPath handling in path operations that could cause
+    errors during taint tracking. This fix improves stability and slightly reduces
+    import times.
diff --git a/tests/appsec/iast/aspects/test_ospath_aspects.py b/tests/appsec/iast/aspects/test_ospath_aspects.py
@@ -1,6 +1,9 @@
 import os
+from pathlib import PosixPath
 import sys
 
+from hypothesis import given
+from hypothesis.strategies import text
 import pytest
 
 from ddtrace.appsec._iast._taint_tracking import OriginType
@@ -176,10 +179,130 @@ def test_ospathjoin_last_slash_tainted():
     assert get_tainted_ranges(res) == [TaintRange(0, 4, Source("test_ospath", "/bar", OriginType.PARAMETER))]
 
 
+@given(text())
+def test_ospathbasename_no_exceptions(string_):
+    assert os.path.basename(PosixPath(string_)) == ospathbasename_aspect(PosixPath(string_))
+    assert os.path.basename(string_) == ospathbasename_aspect(string_)
+
+
+def test_ospathbasename_wrong_arg():
+    with pytest.raises(TypeError):
+        _ = os.path.basename(42, "333")
+
+    with pytest.raises(TypeError):
+        _ = os.path.basename(42)
+
+    with pytest.raises(TypeError):
+        _ = os.path.basename(["a", "b", "c"])
+
+    with pytest.raises(TypeError):
+        _ = ospathbasename_aspect(42, "333")
+
+    with pytest.raises(TypeError):
+        _ = ospathbasename_aspect(42)
+
+    with pytest.raises(TypeError):
+        _ = ospathbasename_aspect(["a", "b", "c"])
+
+
+@given(text())
+def test_ospathdirname_no_exceptions(string_):
+    assert os.path.dirname(PosixPath(string_)) == ospathdirname_aspect(PosixPath(string_))
+    assert os.path.dirname(string_) == ospathdirname_aspect(string_)
+
+
+def test_ospathdirname_wrong_arg():
+    with pytest.raises(TypeError):
+        _ = os.path.dirname(42, "333")
+
+    with pytest.raises(TypeError):
+        _ = os.path.dirname(42)
+
+    with pytest.raises(TypeError):
+        _ = os.path.dirname(["a", "b", "c"])
+
+    with pytest.raises(TypeError):
+        _ = ospathdirname_aspect(42, "333")
+
+    with pytest.raises(TypeError):
+        _ = ospathdirname_aspect(42)
+
+    with pytest.raises(TypeError):
+        _ = ospathdirname_aspect(["a", "b", "c"])
+
+
+@given(text())
+def test_ospathjoin_no_exceptions(string_):
+    assert os.path.join(PosixPath(string_), string_) == ospathjoin_aspect(PosixPath(string_), string_)
+    assert os.path.join(PosixPath(string_)) == ospathjoin_aspect(PosixPath(string_))
+    assert os.path.join(string_) == ospathjoin_aspect(string_)
+
+
 def test_ospathjoin_wrong_arg():
+    def iterator_with_exception():
+        for i in range(5):
+            yield i
+        raise ValueError("there is a problem in iterator_with_exception")
+
+    with pytest.raises(TypeError):
+        _ = os.path.join("root", 42, "foobar")
+
+    with pytest.raises(TypeError):
+        _ = os.path.join(("a", "b"))
+
+    with pytest.raises(TypeError):
+        _ = os.path.join([PosixPath("a"), PosixPath("b")])
+
+    with pytest.raises(ValueError):
+        _ = os.path.join("".join(iterator_with_exception()))
+
+    with pytest.raises(TypeError):
+        _ = os.path.join([PosixPath("a"), PosixPath("b")])
+
     with pytest.raises(TypeError):
         _ = ospathjoin_aspect("root", 42, "foobar")
 
+    with pytest.raises(TypeError):
+        _ = ospathjoin_aspect(("a", "b"))
+
+    with pytest.raises(TypeError):
+        _ = ospathjoin_aspect([PosixPath("a"), PosixPath("b")])
+
+    with pytest.raises(ValueError):
+        _ = ospathjoin_aspect("".join(iterator_with_exception()))
+
+
+@given(text())
+def test_ospathnormcase_no_exceptions(string_):
+    assert os.path.normcase(PosixPath(string_)) == ospathnormcase_aspect(PosixPath(string_))
+    assert os.path.normcase(string_) == ospathnormcase_aspect(string_)
+
+
+@given(text())
+def test_ospathsplit_no_exceptions(string_):
+    assert os.path.split(PosixPath(string_)) == ospathsplit_aspect(PosixPath(string_))
+    assert os.path.split(string_) == ospathsplit_aspect(string_)
+
+
+@pytest.mark.skipif(sys.version_info < (3, 12) and os.name != "nt", reason="Requires Python 3.12 or Windows")
+@given(text())
+def test_ospathsplitdrive_no_exceptions(string_):
+    assert os.path.splitdrive(PosixPath(string_)) == ospathsplitdrive_aspect(PosixPath(string_))
+    assert os.path.splitdrive(string_) == ospathsplitdrive_aspect(string_)
+
+
+@given(text())
+def test_ospathsplitext_no_exceptions(string_):
+    assert os.path.splitext(PosixPath(string_)) == ospathsplitext_aspect(PosixPath(string_))
+    assert os.path.splitext(string_) == ospathsplitext_aspect(string_)
+
+
+@pytest.mark.skipif(sys.version_info < (3, 12), reason="Requires Python 3.12")
+@given(text())
+def test_ospathsplitroot_no_exceptions(string_):
+    assert os.path.splitroot(PosixPath(string_)) == ospathsplitroot_aspect(PosixPath(string_))
+    assert os.path.splitroot(string_) == ospathsplitroot_aspect(string_)
+
 
 def test_ospathjoin_bytes_nottainted():
     res = ospathjoin_aspect(b"nottainted", b"alsonottainted")
@@ -255,11 +378,6 @@ def test_ospathbasename_nottainted():
     assert not get_tainted_ranges(res)
 
 
-def test_ospathbasename_wrong_arg():
-    with pytest.raises(TypeError):
-        _ = ospathbasename_aspect(42)
-
-
 def test_ospathbasename_bytes_tainted():
     tainted_foobarbaz = taint_pyobject(
         pyobject=b"/foo/bar/baz",
@@ -403,11 +521,6 @@ def test_ospathdirname_nottainted():
     assert not get_tainted_ranges(res)
 
 
-def test_ospathdirname_wrong_arg():
-    with pytest.raises(TypeError):
-        _ = ospathdirname_aspect(42)
-
-
 def test_ospathdirname_bytes_tainted():
     tainted_foobarbaz = taint_pyobject(
         pyobject=b"/foo/bar/baz",
